
Hijacked And Losing The Fight So Far

Hello Helpful People. I come to beg help another time. Looks like some nefarious and soulless being has brought me a present I can't whip without your terrific help. I ran through all the steps that I could before this posting and removed many items using the recommended programs. I had difficulty with the TrendMicro site and then could not connect to the others. I am getting popups, redirects and additional viruses at a phenomenal rate. Help please. Waiting with patience.


Hello there and welcome to Bleeping Computer's security forum. My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
° Click Start, open My Computer, select the Tools menu and click Folder Options.
° Select the View tab. Under the Hidden files and folders heading, select Show hidden files and folders.
° Uncheck: Hide file extensions for known file types.
° Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm.

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

Web Buying <--if present

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into Safe Mode. Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

Follow the prompts that will be displayed on the screen. Don't click on the window while the fix is running, because that will cause your system to hang. When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new HijackThis log.

Hello David and thank you for such a fast reply! I have done what you instructed and did not find the Web Buying in add/remove, nor did I find these either:
C:\Documents and Settings\Scott\Desktop\TICHD001.exe
C:\Program Files\Web Buying <--folder
C:\WINDOWS\system32\qijimuj.dll

I have also noticed that I am getting at startup a Windows Installer window for a .NET Framework for something called PhotoGallery that I can only quit by using Ctrl+Alt+Delete. Perhaps I caused this with HJT, or is it related to the problem?

Hi there, let's continue. Thanks for letting me know about the .NET Framework trying to load. I'm going to take a look at another log in a bit, which digs a bit deeper.


Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into Safe Mode. Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\uni_eh43.exe
C:\WINDOWS\uninst1014.exe
C:\WINDOWS\meta4.exe

I want you to clean your cache and cookies from your Internet Explorer. There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer.
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other temporary files and empty the Recycle Bin:

° Go to Start and click on the "Run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please open Notepad and copy and paste the next bold text into it (don't forget to copy and paste REGEDIT4):

Save this as "fix.reg". Choose to save as *all files* and place it on your desktop. It should look like this: Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Download Silent Runners and extract it to a new folder on your Desktop. Run the Silent Runners.vbs file. You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO." If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious so please allow it. A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!) Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.
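As an added example (not part of this thread, and not code from HijackThis or Silent Runners): a small Python helper that turns a HijackThis O4 registry entry, such as the HP Software Update line quoted later in this thread, into a REGEDIT4 fix file of the kind these instructions ask you to save as fix.reg. The hive expansion and the handling of Startup-folder O4 lines are my own assumptions about the O4 notation; the second sample line is constructed.

```python
import re

# HijackThis abbreviates the hive and omits the fixed middle of the key path.
# Assumption: the "..\Run"-style O4 entries all live under
# Software\Microsoft\Windows\CurrentVersion (Run, RunOnce, RunServices, ...).
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"

# Matches e.g.  O4 - HKLM\..\Run: [HP Software Update] C:\...\HPWuSchd2.exe
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")


def parse_o4(line):
    """Split a registry-based HijackThis O4 line into key, value name, command.

    Returns None for lines that are not registry entries (for example the
    'O4 - Startup: foo.lnk' folder form), which a .reg file cannot remove.
    """
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, subkey, name, command = m.groups()
    key = "\\".join([HIVES[hive], RUN_PREFIX, subkey])
    return {"key": key, "name": name, "command": command}


def regedit4_remove(entries):
    """Build a REGEDIT4 (.reg) file body that deletes each listed value.

    '"Name"=-' is Registry Editor syntax for deleting a value; CRLF line
    endings keep the file readable by regedit on Windows XP.
    """
    lines = ["REGEDIT4", ""]
    for e in entries:
        lines += ["[%s]" % e["key"], '"%s"=-' % e["name"], ""]
    return "\r\n".join(lines)


SAMPLE = [
    # Quoted from the thread (the entry the user removed with HijackThis).
    "O4 - HKLM\\..\\Run: [HP Software Update] C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe",
    # Constructed: a Startup-folder entry, which parse_o4 must skip.
    "O4 - Startup: example.lnk",
]


def build_fix(lines):
    """Parse every O4 line and emit one REGEDIT4 fix for the registry ones."""
    parsed = [p for p in (parse_o4(l) for l in lines) if p]
    return regedit4_remove(parsed)


if __name__ == "__main__":
    print(build_fix(SAMPLE))
```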

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\"Wallpaper" = "C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
---------- (total run time: 108 seconds, including 49 seconds for message boxes)

And the Windows Installer for PhotoGallery still tries to launch and I cancelled it again with Ctrl+Alt+Del.

Hello David, all seems to be operating fine, but I am only using the Firefox browser for fear of using the IE6 that seems to be susceptible? to these malware/trojan attacks.
I am still having the .NET window opening on boot even after I had HJT delete the O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe as you directed me to do.
hpqimzone.exe is the process that is running in the Task Manager when the PhotoGallery is trying to load and the .NET Framework window opens and tells me that an unhandled exception has occurred. It indicates that I should invoke just-in-time (JIT) debugging.
Well, here is what it says:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** JIT Debugging **************
To enable just in time (JIT) debugging, the config file for this
application or machine (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

I see a clean log here, there are no signs of malware or anything that may cause the PhotoGallery problems you are having. I recommend that you post your question in the following forum as you will receive better help there. Let them know you have had your HijackThis log checked, and it isn't a serious security issue: Windows XP Home and Professional

Glad I could help! Good luck finding the solution! Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. If you wish to learn how to use HijackThis to remove malware, you might like to join the Malware Removal Training Program!